
VMR-MDK-K2-011x8.sh for Kali2.0

MTeams did a series of tests with Datahost. If you use Linux to download the files as posted, the normal zip file is received. If, however, you download thru XP or possibly other Windows-based systems, Datahost loads a small .exe file in zip format instead.

Musket Teams have released VMR-MDK-K2-2017R-012x2 for Kali 2, 2016, 2017 and all versions of reaver.

The aireplay-ng fake auth has been made regenerative.
Several bugs have been corrected, some thanks to dmatrix.
Comments requested by kcdtv have been added.
Script tested in both persistent USB installs and hard drive installs for reaver 1.52 and 1.53 and Kali 2016 and 2017 using i386.
Expect the mac changing routines to be slowed. This is to support wifi receivers at the end of five (5) meter extension cables, which is the max length allowed.

We do not support VMware and AMD or persistent USB installs using LUKS encryption as we cannot test.

This program attempts to circumvent WPS locking. MTeams suggests you download the package and read thru the help files enclosed within the zip. After you read thru these help files, any technical questions, bugs or further help will be provided.

The fact that you have gotten 15% of the pins tells us the router is vulnerable to this approach. You have probably just locked up the firmware so stop the attack and try again 24 hours later. Once you start collecting pins again increase the pause/wash scan time so that you give the router more time to recover. Reduce the DDOS/MDK3 time to the bare minimum necessary to collect pins. Set the retest first pin to 50.

Try the attack once a day till pin collection starts again.

Keep in mind that this attack approach takes time and is slow. Do not try and rush the attack or overwhelm the firmware thru long doses of DDOS/MDK3. Usually a short burst of DDOS 15 to 20 sec works better. You will have to find the right mix with respect to time of reaver, DDOS and pause to keep pin harvesting progressing. Each router, even the same make/model and firmware, reacts differently. This is why a config file is used. You can change the setting and test while the program is running.

Thanks for all your hard work musket team. A couple days ago I just got into pentesting out of curiosity. I want to know if it is possible to customize the reaver command line in the script, because I can "sometimes" crack 1 or 2 of my routers with tweaked settings (without your script). I found out my router doesn't like the -S argument in reaver. At least that's what my little testing showed. Furthermore, I can't seem to crack my old router without providing the pin manually. Can you tell me where I should direct my questions on successfully cracking my old Asus router?

The VMR-MDK series are scripts designed to harvest pins from WPS locked routers. It is just a tool and does not replace the reaver command line. The config file allows you to remove the -S and adjust other variables. If you do not need to DDOS the router to collect pins or you do not see the need to change the mac constantly or have reaver stop and restart then just use the command line.

If you have a little understanding of Eterm and bash coding you can easily change the reaver output of a specific command line in VMR-MDK or if you send us what you want we will change a specific command line for you and post it.

However just play around with the variables in the reaver command line in a terminal window until you get the router to respond to reaver.

What would you like the video to be of? I have found that there really is not a foolproof cover-all; you have to trial and error each router. The script they released works well but you will have to change settings of the script sometimes, which the script itself and the help files that come with it do a great job of explaining. What would you like to see in the video?

The script itself is great, two questions though. If dh-small is selected is it persistent through to pixiewps? i.e. it needs enabling in both.

Is it possible to include the -C switch in the wash command as a norm? I have found where in the script it needs adding (not bad for a non-programmer idiot) but as it would not affect those that don't get the error it would help those that do.

The -dhsmall matter versus pixiedust versus brute forcing WPS locked routers is addressed in the help file. Note if you retest 12345670 every X cycles, reaver checks this pin with no --dhsmall, thus sending complete Pixiedust data sequences for pixie1.1 to test. It also writes the session to a different file and folder so the brute force sequences are not upset. Again, read the help files; this matter is addressed there in detail.

We have never had any problems that require -C except when the wifi device did not support packet injection.

Adding -C to wash should be coded by default to help the program run smoothly in case of any potential FCS errors. I sometimes get them and I edited the script to include it and then everything worked fine.

MTeams tested both the Kali 1.10 and Kali 2.0 versions of VMR-MDK. We set the reaver live time to 30 seconds in both cases.

We think the problem is Config File item 21 Retest pin 12345670. Turn the retest feature OFF by selecting n/N. The program will then skip this feature, which has a default value of 90 seconds, and go straight to the time set in the config file.

Set Item 5 to the reaver live time required.

Set Item 21 Retest pin 12345670 to n/N.

You ??may?? find just setting the -r x:y in a reaver command line from the terminal window to -r 3:90, as an example, OR using MTeams varmacscan2-8.sh a better approach in your case. You need to slow down pin collection.

If you are not sure, run reaver with the -l --lock-delay=100 and let it run. Some routers unlock after 6,000 seconds; just count the number of times reaver attempted to collect pins before a success and multiply by 100. Then set your -l below that number and slowly collect pins.

VMR-MDK is designed to attack locked WPS systems. Read the help files and see if the router has the flaw outlined in these files.

You should read carefully thru the help files enclosed with the VMR-MDK package. MTeams use choice 1, 3, 4 and 14 a lot. You simply need to test the router. This approach does not work on all routers. Again, read the help files and pay attention to what the program is attempting to accomplish and what results are being obtained.

As we indicate in the help files, this approach works with a small subset of routers. The tests for effectiveness are outlined there. You probably have done nothing wrong.

The VMR-MDK approach is not meant to actually reset the router. In fact, short bursts of mdk3 combinations 15 to 30 sec in length seem to work better than subjecting the router to long exposure to mdk3.

There are other paths you can take. Try our varmacscan2-8. It is a robotic script. Just start it before you leave your computer and let it run. Everything is automatic. If you are using 2016 you will have to wait a few days. We have a working lab variant currently being tested. If there are no major bugs it will be out in a week.

You can try ReVdk3. We have no experience with this script and are unsure if it works with Kali 2.0 or 2016.

Please, is there a way to resume your session? I ran the script for the first time and chose 10 loops, then decided to continue with 10000 loops after the 10 was finished, but it started from the beginning again. Please, how can I make it continue every time I re-run it?

VMR-MDK is an administrative program. It runs several divergent processes, primarily wash - reaver - mdk3, in a sequence. The cycles you loaded are simply the number of times you want to cycle thru the four stages.

If you are talking about pin counts, reaver in the default setup checks for pin 12345670 every 10 cycles. So between cycle 1 and 10 reaver will run a brute force attack. Any keys checked, i.e. your pin count, is stored by reaver as the two reaver attack types are run as different sessions.

If this does not help, then outline in greater detail exactly what is starting from the beginning.

I'm sorry I didn't make the question quite clear, well, anyways, never mind. I have completed the hack. Woke up this morning and found VMR had gotten my neighbor's WPS pin and the WPA pass. Thanks once again. I really appreciate it.

What's left now is post exploitation. I dunno where to go from here. Well, one thing I noticed: I logged into the router with the default username and password, I tried restoring the WPS pin to default but it seems like the router restarts or something and then tells me I do not have permission to change the WPS pin. Any ideas?? Thanks once again.

Hi everyone, I'm new to Kali and new to this script. I tried this script yesterday and I got a pin number of a network, but right after that reaver kept showing "Failed to associate with ..."; one hour later I closed it and ran reaver with that pin number but reaver kept showing the same message. Today is the same thing. I wrote down the BSSID because wash does not detect it. The wifi on my smartphone detects the network with 2 of 3 bars of signal. What did I do wrong? If somebody could tell me, I'll appreciate it.

Well, I don't really know much, but if you got a WPS pin I'm quite sure you should also have gotten the WPA key. Aside from that, are you sure WPS is still enabled for that AP? A quick way to check aside from wash is using wifite; just type wifite in a terminal and wait a bit to see results.
Try again and let us know what you found.

I tried with a different AP and after I got the pin of that AP the WPS got disabled... Wifite shows no WPS on both APs. Any idea on what to do next?

1. The router was not WPA encrypted. We have routers in our areas that respond to wash but are not WPA encrypted.

2. We have seen routers which initially show WPS is enabled, then give up one pin and the WPS disappears. We have gotten past the encryption thru brute force or ESSIDPROBES. We have gone into the firmware remotely and looked at the setup. The WPS is enabled but no response from wash or reaver. Even resetting the router did not restore the WPS even though the firmware showed WPS is enabled.

3. Your first attack was done thru the command line (CL) and you spoofed your mac BUT did not add the --mac= command to the reaver CL. This will cause a failure to get the WPA key with reaver.

4. From aircrack-forums we just received a report that some routers lock up after a 12345670 pin request. We are exploring ryreaver-reverse and loading it into varmacscan for some tests.

5. There is yet another security feature that we are at present unaware of with reference to the WPS system?

You could try Bully. MTeams though has had zero success with this program although others like the program. Hence if you ask, someone may help you.

From the networks available I picked 3 to use with this script; one disappeared without giving a pin and the other two gave me the same pin number and disappeared right after that. Wash does not detect them; wifite does detect them with no WPS (those APs had WPS at the beginning). When I got the pins I tried using the reaver command like this "reaver -i wlan0mon -vv -S -b (bssid) -c (channel) -p (pin)" but it showed the same message "failed to associate...". Did I put the command right? And thanks for the reply; to be honest I'm new to Linux and using commands...

I tried bully "bully wlan1mon -b (bssid) -e (essid) -c (channel)" on the 3 networks and it says "the ap doesn't to be wps enabled". I guess there is no way to get those networks' key (good security?).
I tried a different network with the script and now I'm on
"Pin count: 11 ...
Wps transaction failed (code: 0x02), re-trying last pin"
Sometimes it keeps counting the pin, sometimes it shows the same message. Should I stop it or does this mean it's working?